Thanks for the reply Gemma. I'm still not sure about categories here because the link you provided refers to category of purpose and category of processing and category of controllers. So is Moodle's category covering all of those, and does it have any bearing on processing within the GDPR plugins?
GDPR plugins - Category & Purpose
It is very difficult to give examples on this point, since how to implement this part is different for every organization.
The idea behind the Data registry is that a DPO can set purposes (why the organisation is processing data) with retention periods and categories for data stored in Moodle in the data registry.
For example, you make a category Identification data with the purpose student administration.
Please bear in mind - this is an example - which does not necessarily count for your organization.
If you get stuck on this part, the only and best advice someone can give you is to contact your organization's IT department or specialist on GDPR.
For this example see: https://docs.moodle.org/34/en/Data_privacy_plugin
And you might already have read: https://docs.moodle.org/34/en/GDPR_for_administrators
I appreciate the explanation. I will of course be speaking to our DPO soon, so no doubt they'd have something to add. I guess the bit I'm a bit fixated about is "what does it do in Moodle?"
As far as I can tell, the category is just a label and a description that is only seen by the DPO and has no function in code. i.e. The requestee doesn't see it, and it's not adding anything to the processing of requests within Moodle - as far as I can tell atm.
"Purpose" at least contributes a retention period and a setting to determine if this trumps a requestee's right to be forgotten. So it's not so much the legislation I'm concerned with as Moodle processing.
The category is not associated with any processing in Moodle.
I'm not a lawyer, but my understanding is that this category is part of the requirement that all user data should have an explanation as to why it is being processed, and the type of personal data and the categories of data subjects. The idea is that this registry forms part of a report to be displayed to the Data Protection Officer in an audit, to display compliance by the institution. This category is linked to the user data, but no further processing is done.
I would highly recommend seeking professional advice as to how this information should be filled in to make sure that your site is compliant.